Some flawed thinking

I recently came across a Safety Integrity Level (SIL) review of a high-level trip on a production separator.  Neither the relief valve nor the pressure control valve to flare off the top of the separator is sized for multiphase relief in the event that the liquid outlet becomes blocked and the vessel overfills.  These protective devices will therefore not stop the vessel overpressuring, especially as the upstream pressure from the wells is several times the design pressure of the separator.  So you would think that the high-level trip is quite important and should intuitively carry a high SIL requirement.

The trip was assessed by Layer of Protection Analysis (LOPA), and this is where the flawed thinking arises.  In the assessment, the worst-case consequence was taken to be an overpressure below the corrected hydrotest pressure of the vessel, on the basis that the relief valve and the pressure control valve would open and allow partial pressure relief.  So credit is implicitly being taken for protective layers acting to limit the consequence.  That is bad enough, but it is then compounded by claiming a probability of failure on demand (PFD) of 1 in 100 for the relief valve as an independent protection layer (IPL), in effect taking double credit for the relief valve: once for reducing the severity of the consequence, and again for reducing its frequency.  The end result is a low SIL requirement.

A correct assessment of the situation needs to start with the unmitigated consequence in the absence of any layers of protection: what is the worst-case pressure the vessel can experience, and will it rupture?  How often is this event likely to happen, based on the failure rate of the liquid level control?  Then move on to consider which IPLs actually exist that fully mitigate the consequence.  Clearly, if the relief valve and the pressure control valve are undersized for a blocked liquid outlet, no credit can be taken for them.  Even though they may act to limit the extent of the overpressure, their failure to act (which is what LOPA assesses) results in the worst-case consequence, and this needs to be considered in setting the SIL requirement for the high-level trip.

LOPA is a simplified technique that cannot handle IPLs providing only partial protection: each layer is credited as either fully preventing the consequence or failing with its PFD, with nothing in between.  There are other tools to evaluate partial protection, such as fault trees.
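The arithmetic behind the last two paragraphs, as an added illustration that is not part of the original post. It runs the same separator scenario three ways: the flawed review (consequence downgraded because the relief valve is assumed to open, and the same valve credited again as a 1-in-100 IPL), LOPA by its own rules (rupture is the consequence, the undersized relief valve gets no credit), and a two-branch event tree of the kind the post alludes to when it mentions fault trees, in which the relief valve's partial protection is modelled explicitly. Every frequency, PFD, tolerable-risk target and the probability of rupture given partial relief is an assumed placeholder, not a figure from the post or from any real review; only the IEC 61511 SIL bands are taken as given.

```python
"""Worked LOPA arithmetic for the separator high-level trip.

Added illustration, not from the original post. Every frequency, PFD and
tolerable-risk target below is an assumed placeholder chosen to show the
mechanics; substitute site data before drawing any real conclusion.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import prod

# IEC 61511 low-demand SIL bands: (SIL, PFDavg lower bound inclusive, upper bound exclusive).
SIL_BANDS = ((1, 1e-2, 1e-1), (2, 1e-3, 1e-2), (3, 1e-4, 1e-3), (4, 1e-5, 1e-4))

# Assumed scenario inputs (placeholders; frequencies per year, PFDs dimensionless).
LEVEL_CONTROL_FAILURE_FREQ = 0.5         # level control fails high: demands on the trip per year
ALARM_OPERATOR_PFD = 0.1                 # independent high-level alarm with operator response
PRV_PFD = 0.01                           # relief valve fails to open on demand
TOLERABLE_CONTAINED_OVERPRESSURE = 1e-5  # target if the vessel is stressed but stays intact
TOLERABLE_RUPTURE = 1e-6                 # target for vessel rupture
P_RUPTURE_GIVEN_PARTIAL_RELIEF = 0.05    # rupture even though the undersized PRV opens


@dataclass(frozen=True)
class Assessment:
    hazard_freq: float    # frequency of the consequence before the trip acts, per year
    required_pfd: float   # PFD the high-level trip must deliver to meet the target
    sil: int              # 0 means a risk reduction factor of 10 or less: no SIL-rated trip needed


def sil_for_required_pfd(required_pfd: float) -> int:
    """Map the PFD the trip must achieve onto the IEC 61511 SIL bands."""
    if required_pfd >= 1e-1:
        return 0
    for sil, low, high in SIL_BANDS:
        if low <= required_pfd < high:
            return sil
    raise ValueError(f"required PFD {required_pfd:.2e} lies beyond SIL 4")


def assess(hazard_freq: float, tolerable_freq: float) -> Assessment:
    """Turn a hazard frequency into the trip's required PFD and SIL."""
    required = min(1.0, tolerable_freq / hazard_freq)
    return Assessment(hazard_freq, required, sil_for_required_pfd(required))


def lopa(initiating_freq: float, ipl_pfds: list[float], tolerable_freq: float) -> Assessment:
    """Plain LOPA: every credited IPL either fully prevents the consequence or
    fails with its PFD, so the mitigated frequency is the simple product."""
    return assess(initiating_freq * prod(ipl_pfds), tolerable_freq)


def flawed_assessment() -> Assessment:
    """The review the post criticises: the consequence is downgraded to a
    contained overpressure because the PRV is assumed to open, and then the
    same PRV is credited again as a 1-in-100 IPL."""
    return lopa(LEVEL_CONTROL_FAILURE_FREQ, [ALARM_OPERATOR_PFD, PRV_PFD],
                TOLERABLE_CONTAINED_OVERPRESSURE)


def strict_lopa_assessment() -> Assessment:
    """LOPA by its own rules: the unmitigated consequence is rupture, and an
    undersized PRV fully mitigates nothing, so it earns no credit at all."""
    return lopa(LEVEL_CONTROL_FAILURE_FREQ, [ALARM_OPERATOR_PFD], TOLERABLE_RUPTURE)


def event_tree_rupture_freq(initiating_freq: float, ipl_pfds: list[float],
                            prv_pfd: float, p_rupture_given_partial_relief: float) -> float:
    """Two-branch event tree for a layer that only partially protects: if the
    PRV fails, rupture is certain (well pressure is several times design); if it
    opens, rupture is still possible because the relief path is undersized."""
    demand_freq = initiating_freq * prod(ipl_pfds)
    p_rupture = prv_pfd * 1.0 + (1.0 - prv_pfd) * p_rupture_given_partial_relief
    return demand_freq * p_rupture


def event_tree_assessment() -> Assessment:
    """What the more sophisticated technique gives: with the assumed inputs the
    PRV's partial protection is worth a factor of about 17 (0.0595), not 100."""
    freq = event_tree_rupture_freq(LEVEL_CONTROL_FAILURE_FREQ, [ALARM_OPERATOR_PFD],
                                   PRV_PFD, P_RUPTURE_GIVEN_PARTIAL_RELIEF)
    return assess(freq, TOLERABLE_RUPTURE)


if __name__ == "__main__":
    for name, result in (("flawed LOPA (double credit)", flawed_assessment()),
                         ("LOPA, no credit for undersized PRV", strict_lopa_assessment()),
                         ("event tree, partial PRV credit", event_tree_assessment())):
        print(f"{name:36s} hazard {result.hazard_freq:.2e}/yr  "
              f"required PFD {result.required_pfd:.2e}  "
              f"RRF {1.0 / result.required_pfd:8.0f}  SIL {result.sil}")
```

With these assumed inputs the flawed review lands at SIL 1, LOPA applied correctly at SIL 4, and the event tree at SIL 3. The exact bands depend entirely on the placeholder numbers; what does not depend on them is the structure of the error: downgrading the consequence and then crediting the same valve as an IPL shifts the result by three orders of magnitude, and the only place a partial layer's real worth (here roughly a factor of 17 rather than 100) can be seen is in a technique that models the partial branch explicitly.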

Always guard against the tendency to “bend” the rules of a particular technique beyond the bounds of its validity and end up with flawed thinking about an issue.  It may be more painful to use a more sophisticated technique, but the answer will be robust.